Lawmakers introduce bipartisan bill for Internet of Things security standards

The Internet of Things (IoT) Cybersecurity Improvement Act of 2019, a bipartisan, bicameral bill introduced March 11, would require the government to make sure that any devices it purchases meet minimum security requirements. It is being introduced in the Senate by Sens. Mark Warner (D-VA) and Cory Gardner (R-CO), and in the House by Reps. Robin Kelly (D-IL) and Will Hurd (R-TX). The bill would try to prevent security vulnerabilities, which it defines as "any attribute of hardware, firmware, software, or combination of or more of these factors that could enable the compromise of the confidentiality, integrity, or availability of an information system or its information or physical devices to which it is connected." Specifically, the bill would:

  1. Direct the Office of Management and Budget (OMB) to issue guidelines for each agency that are consistent with the National Institute of Standards and Technology (NIST) recommendations, and charge OMB with reviewing these policies at least every five years.
  2. Require any Internet-connected devices purchased by the federal government to comply with those recommendations, and direct NIST to work with cybersecurity researchers and industry experts to publish guidance on coordinated vulnerability disclosure to ensure that vulnerabilities related to agency devices are addressed.
  3. Require contractors and vendors providing IoT devices to the US government to adopt coordinated vulnerability disclosure policies, so that if a vulnerability is uncovered, that information is disseminated.

IoT Security Bill Teed Up (Multichannel News)
Lawmakers introduce bipartisan bill for 'internet of things' security standards (The Hill)